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(54) System and method for managing try-and-buy usage of application programs 



(57) A system and method for managing the distri- 
bution of licensed application programs stored on a 
server over a distributed computer system maintains 
control over the program even after the program has 
been distributed to a client computer from a provider on 
an information server. Protection may include license 
expiration date verification, authorized user ID verifica- 
tion, and protection against decompilation and reverse 
engineering by maintaining the program in an encrypted 
form until verification of the expiration date and user 
identity are complete and the program is ready for de- 
coding, loading into the client computer CPU, and exe- 
cution. A user identifies a program for trial use by any 
conventional means such as by using a network brows- 



er on the World Wide Web. The server recognizes a user 
request to access the application program. The server 
may have an agent on the client computer for performing 
certain predetermined administrative tasks. This agent 
may take the form of an application builder program 
module, provided by the trial application provider which 
is resident on the client computer. The server (including 
the agent) determines whether program access condi- 
tions are satisfied, and if satisfied transmrts a version of 
the program to the client. The transmitted file includes 
an encrypted portion. The server and agent also verify 
that the user is currently entitled to execute the applica- 
tion program including that the trial license has not ex- 
pired at the time the user initiates execution, and gen- 
erates an executable version of the application program. 
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Description 

The present invention relates to systems and meth- 
ods for managing the distribution ot licensed application 
programs and application program components, includ- 
ing the distribution of trial versions of applications and 
components that automatically expire after the expira- 
tion of predefined trial usage privileges. 

BACKGROUND OF THE INVENTION 

' For the purposes ot this document', the term "appli- 
cation program" is defined to include applets anci other 
application program components. A component is an in- 
complete program f ragment. Users can integrate appli- 
cation program components into a new application us- 
ing an appropriate tool, such as the Application Builder 
of the present invention, discussed below. ' 
• ' - ' A number of different "try and buy" systems for dis- 
tributing application programs and other types' of com- 
puter software have been used in prior art systems. The 
most common mechanisms for limiting the rights of the 
users of the trial versions of application programs are 
"time bombs/ which Bisable the program after the expi- 
ration of a* certain date, "usage metering" schemes 
which attempt to meter the number of hours of usage of 
the program and disable it after usage reaches a prede- 
fined limit , and various "capability limitation' schemes 
in which the capabilities of the trial version of the appli- 
cation are so limited that end users are motivated to li- 
cense the standard version of the program. 

? While software security systehis in the past have 
attempted to prevent program copying using a number 
of copy protection 1 schemes," including requiring end us- 
ers to know a password or to possess a physical token 
that enables use of the program, such copy protection 
systems have generally not been used in existing try and 
buy software dissemination * systems. The problem is 
particularly acute when the program is distributed over 
a distributed computer system, because the program file 
sent to a user over a wire or other'cdmmuhication chan- 
nel is inherently cbpyable. ; ' 1 ' " 
- It is a goal of the" "try and buy" system and method 
of embodiments of the preseni invention to prevent us- 
ers from disseminating executable copies of application 
programs to other end users, because those other end 
users have hot necessarily agreed to the licensing terms 
of the program's owner. 

Another goal of the embodiments is to give the own- 
ers of application programs reliable information about 
the parties who have' requested trial use of those pro- 
grams. " ■ 

Another goal of the embodiments is to make acqui- 
sition of limited use rights (e.g., the right to use a trial 
version of a program) as automatic as possible so as to 
make the use of trial versions of programs as easy as 
possible. 

Another goal of the system and method of embod- 



iment of the present invention is to limit generation of an 
intelligible version of a file including an application pro- 
gram to a user only when the user is currently entitled 
to access the file. 

s A further goal of the embodiment is provide a sys- 

tem and method for limiting the period of time and stor- 
age location during which an intelligible version of a file 
is available to a user. 

Another goal of the system and method of embod- 

10 iment of the present invention is to limit generation of an 
executable version of an application program to a user 
only when the user is entitled to execute the application 
program at the time execution is attempted by the user. 

is SUMMARY OF THE INVENTION 

In summary, the present invention provides a sys- 
tem and method for managing the distribution of li- 
censed files including application programs over a dis- 
tributed computer system that maintains control over the 
files even after the file has been distributed from a pro- 
gram provider on a server to an end user on a client 
computer. Protection includes license expiration date 
verification, authorized user verification (with or without 
a.termination date grace period) protection, and protec- 
tion against decompilation and reverse engineering by 
maintaining the application, program file in an encrypted 
form until verification is complete and the program is 
ready for decoding and execution. 

The inventive method and system for managing us- 
age of ah application program initially stored on a server 
coupled to a distributed computer system by a user in- 
cludes recognizing a user request to access an applica- 
tion program, determining whether predetermined ac- 
cess conditions are satisfied, transmitting a version of 
the applicat ion program to the computer associated with 
the user making the request for receipt and storage only 
when the access conditions have been satisfied, further 
verifying prior to program execution that the user is cur- 
rently entitled to execute that received application pro- 
gram, and generating an executable version of the ap- 
plication program from the transmitted version onlyjf the 
verification is affirmative. 



Examples of the invention will now be described in 
conjunction with the drawings, in which: 

Fig. 1 is a block diagram of an embodiment of a dis- 
tributed computer system embodying the present inven- 
tion. 

Fig. 2 is a schematic representation of an exempla- 
ry Web site page used to disseminate trial versions of 
programs that are available for licensing. 

Fig. 3 is a block diagram, of an exemplary header 
record of the stored version of the Application Program 
on a server in a preferred embodiment of the invention. 

Fig. 4 is a block diagram of an exemplary header 
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record of the transmission format of the trial version of 
an application program shown in Fig 3 in a preferred 
embodiment of the invention. 

Fig. 5 is a block diagram of an alternate forrnof an 
exemplary header record of the transmission format of 
the trial version of an application program shown in Fig. 
4 in another preferred embodiment of the invention. 

Fig. 6 is a block diagram of an exemplary header 
record of the execution format of the trial version of an 
application shown in Fig. 4 in a preferred embodiment 
of the invention. 

Fig. 7 is a schematic representation of a menu pre- 
sented by the Application Builder for executing trial ver- 
sions of Application Programs. 

Fig. 8 is a flow chart of an embodiment of the trial 
application program execution method ot the present in- 
vention. .. .. .. 

Fig. 9 is a flow chart of an alternative embodiment 
of the trial application program execution method pi. the 
present invention. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring to Fig. 1 , there is shown a distributed com- 
puter system 100 having many client computers 102 
and at least one information server computer 104. J n the 
preferred embodiment, each client computer 102 is con- 
nected to the information server 104 via network inter- 
connectivity means such as the internet 106, although 
other types of communication connections could be 
used; While "most client computers are desktop cpmpcit- 
ers^uch as Sun work^tatjphs t 'IBM compatible comput- 
ers arid Macintosh computers, virtually any com- 
puter can be a cjfent computer. One or more users (not 
shown) are associated with each" client computer '102. 

In the preferred embodiment, eachxljent computer 
includes a CPU 1 07. a user interface 108, primary mem- 
ory 11 8 (such as fast random access' me mqry),'/user 
communication interface i 1 9' for communicating with 
the information server computer 104 via communication 
network 106, and additional memory 109 for storing an 
operating system 110, a World Wide V^eb browser pro- 
gram 111 , an Application Builder program 112, and one 
or more Application Programs 1.17. The Application 
Builder program 11 2 arid Application Programs 117cdri- 
tain features provided specifically by the present inven- 
tion. Optionally included among these features is a client 
Licensee ID 103 imbedded in the Application"' Builder 
1 12 and used for access verification as described in de- 
tail below. The Application Builder 112 also "preferably 
includes a pair of public and private keys 113 that are 
unique to the client computer, a program decoder mod- 
ule 114, a license handling' module 115, and a program 
execution module 116. 

The information server 104 includes a central 
processing unit (CPU) 120, primary memory 122 (i.e., 
fast random access memory) and secondary memory 
124 (typically disk storage), a user interface 126. and a 



communications interface 128 for communication with 
the client computers 102 via the communications net- 
work 1 06. 

For .the purposes of the present discussion, it will 
5 be assumed that the information server's secondary 
memory 124 stores: an operating system 130, a World 
Wide Web server application and a corresponding set 
of Web pages 132, a trial licensing application program 
134 for handling the licensing of Application Programs 
10 to end users associated with client computers 102, a 
copy of the aforementioned Application Builder 136 for 
transmission and licensing.to end users, a pair of public 
and private encryption keys 1 37 for the. server, and cop- 
ies of the trial versions of various Application Programs 
*5 138, 140, 1.42 for transmission and licensing to.end us- 
ers. ^. , 

It is also assumed for the purposes ot the present 
discussion that the information server . 104 is a ..World 
Wide Web Server, but other information servers may al- 

20 ternatiyely be employed. The Web Server application 
.1 32,coptrois the server's responses to requests. by client 
computers 102 to retrieve files using standard World 
Wide Web (WWW) protocols. The Webserver Applica- 
tion works with a set of Web source files, which are the 

25 documents and other files or objects that client comput- 
ers 1.02 receive in response to. property formed re- 
quests. The present embodiment does not modify the 
Web Server application 1 32.. Thus, operation of the Web 
Seryer, site insofar as client computers 102, are con- 

30 cerned remains unchanged by the present.embodiment. 
. .Referring to Fig.. 2 there is ..shown a schematic rep- 
resentation of an exempiary.home page 160 of the.Web 
site (information server) 104 ..accessible by a user using 
client ^computer 102. The .home ., page 160 includes a 

35 general information section 163 having menu. selection 
.buttons for t obtaining information about the Try, &,Buy 
^Program 1 65" -Liqensing Terms and Conditions 166, in- 
formation, about the Application Builder 1 67, and .infor- 
.matipn about one or more Application. Programs 163. 

40 For. example, each Application .Program may be de- 
scribed in terms of its functionalijy,, storage require- 
ment, minimum processor requirements for execution, 
monetary costs for permanent versions of the applica- 
tion prograrri, and the like! Licensing terms and condi- 

45 tjons may be Application Program specific, and further 
may contain provisions forspecific Licensees or classes 
of Licensees. 

The home page 160 of the Web site (information 
server) 1Q4 also includes a Trial Version Program Down- 
so load Selection Section 164 having a submenu 169 that 
includes selection buttons for each of several Applica- 
tion Programs as well as a button. 170 for selecting the 
Application Builder. To download a Trial Version of any 
of the listed programs, the user merely selects one or 

55 more programs of interest from the menu in section 1 64. 

Alternately, the Web page may contain specialized 
HTML annotations, such as Java language applets that 
make contact with the user's Application Builder and 
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cause it display remotely available applications as it ihey 
were on a similar organizational looting with locally 
available applications. 

The Application Program file is stored in one or 
more of several different formats depending on where 
in the distributed computer system TOO the file exists or 
is stored. There are four storage formats of particular 
interest: 

• the Server Format, which is the format of the Appli- 
cation Program in Secondary Memory 124 of Infor- 
"mation Server 104 prior to selection by a particular 
user; 

• the Transmission Format, which is the format of the 
Application Program in storage m Secondary Mem- 
ory 1 24 of Information Server 104 after select ton by 
user tor downloading krclient computer 102 : and 

' during transmission to the user ' ' ' - 

• ■ ; *the Client Storage Format! which is the format of 
" : * ' the Application Program in storage in memory 109 

: ' of the client computer 102 after the downloading is 
complete 'but prior to verification and execution (de- 
scribed hereinafter); and 
*' the Execution Format/ which is the format of the Ap- 
plication Program in temporary storage in RAM 118 
and/or CPU 1 07 during execution of the Application 
Program 

The differences in the formats relate generally to ex- 
istence and content of ancillary file information' associ- 
ated with the Application Program and the user (where 
applicable) such as "information- contained in header 
records, and with the encrypted or decoded condition of 
the executable program and other fields. Each of these 
formats is described in greater detail below with respect 
to Figs" 3-6: * ' " v ' " ' 

For the purposes of this document, the terms "de- 
code* and "decrypt" shall be used synonymously to refer 
to the process of reversing the encryption of a set of 
information. Similarly, the adjectives "decoded" and "de- 
crypted t ' shall be used synonymously to refer to a set of 
unencrypted information that was generated from a cor- 
responding set of encrypted informaiion. . • 

in reference to' Fig! 3, a schematic illustration of the 
Server Format 180 of an Application Program trial ver- 
sion 1 36 is shown. The Server Formal includes the non- 
encrypted application program 181 ,'and may optionally 
include information fields for Application ID 1 83 : License 
Termination Date 185, and Licensee ID 184. These files 
are optionat because prior to selection by a particular 
user, the file is generic for all potential users and no such 
information (except the Application ID) is applicable to 
the application program file. The particularized server 
format includes each of the Application ID 183, License 
Termination Date 185, and Licensee ID 184 fields and 
may either be created and stored as an actual file on the 
server or may exist only transiently as the generic server 
format is particularized to the requesting user and en- 
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crypted to generate the transmission format prior to 
transmission to the client computer. Note that the server 
formatted version of the application program could be 
stored in an encrypted form, but decryption followed by 

5 encryption would be required to encrypt the application 
program with the public key associated with the client 
computer Application Builder 112. 

The Server Format of an application program in the 
preferred embodiment also includes a copy of the serv- 

10 er's public key 187 (to be used by client computers) : 
documentation 188 for the application program, as well 
as text 189 representing the trial licensing terms for the 
application program and relicensing terms. 

Once the user has selected an Application Program 

is for trial use the user is associated with a licensed version 
of the Application Builder. This Application Builder li- 
cense may be preexisting or may have been allocated 
to the user in conjunction with selection and download- 
ing of the trial version of an Application Program. In ei- 

20 (h'er situation, the Application Builder is licenced to the 
user and a licensee identifier is associated with that us- 
er. Server 104 includes an Encryption Module 135 that 
encrypts the Application Program stored in Server For- 
mat 180 based on a public key 113 associated with the 

2S user to generate a transmission format of the same Ap- 
plication Program. 

In reference to Fig. 4 : a schematic illustration of the 
Transmission Format 186 of an Application Program th- 
ai version 138 is shown. The transmission format in- 

30 eludes an' encrypted version of the Application Program 
executable code 181 , an Application Program ID 1 83, a 
proper licensee ID for the particular user 184, alicense 
termination date 185 : as well as copies of "the public key 
documentation and license informational fields 187, 

35 188, 189. In the preferred embodiment all fields of the 
Transmission Format 186 are encrypted with the user's 
Application Builder public key 1 1 3 to prevent eavesdrop- 
ping and unauthorized copying or modification of the ap- 
plication prbgram and/or controf information. 

40 Furthermore, in the preferred embodiment the con- 
trol information '(i.e.* header fields 183-135) is first en- 
crypted with the server's private key prior to encryption 
of the entire file 186 with the user's Application Builder 
: public key" In this way double encryption is used to pro- 

45 tect the control information. More generally, it is desira- 
ble that none of the Application Program itself, and none 
of the header fields 183, 184, 185, appear as clear text 
during transmission from server 104 to client computer 
102 over the network 106. 

so While the term "header" fields .or information has 
been applied to the identification information fields in 
this description, and such information fields are shown 
for simplicity, as a plurality of contiguous records in the 
file (e.g.' Figs 3, 4, and 6). it should be understood that 

55 ' the identification information may be placed in any pre- 
determined location in the application program file so 
long as the Application Builder 112 can locate and inter- 
pret the information during the verification and decoding 
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procedures prior to execution of the application pro- 
gram. For example Fig 5 is a block diagram showing 
a version ol the transmission format in which the license 
ID 164. and License Termination Date 185 are located 
within the body oi Application Program 1 , which is split 
into parts A. B. and C Such intermingling of the identi- 
fication and security information withing the body of the 
Application Program is generally applicable to all of the 
formats described. Placement of the identification infor- 
mation within the application program itself enhances 
security by making it extremely difficult for even an au- 
thorized user of the application to locate and alter the 
identification information, including the licensee ID and 
the license termination.date. 

The Client Storage Format of an application pro- 
gram trial version, while not shown in a separate figure : 
is the same as the Transmission Format I86 : ,with a de- 
crypted copy of ( the control information (header f .fields 
183-185) "pre-pended" at the front of the file. The de- 
crypted control inloimalion is not "trusted" by. the Appli- 
cation Builder because it is subject to manipulation by 
the user, but is rather compared with the encrypted con- 
trol information at execution time. In an alternate em- 
bodiment, the Client Storage Format is the same. as the 
Transmission Format, and the control information is not 
stored in clear text form. 

In reference to Fig. 6. a schematic illustration of the 
Execution Format 196 of an Application Program. trial 
version 138 is shpwn. The Execution Format .1.96. in- 
cludes a decrypted and decoded version of the Applica- 
tion Program. It need not necessarily include application 
identifier 183, licensee .identifier 184, or licensee .termi- 
nation date 1 851 Although.such information may be car- 
ried along in the file, it does not represent executable 
code and serves no further security purpose after veri- 
fication and decoding. ... 

In the preferred embodiment, the executable ..code 
is only available transiently during execution of the ap- 
plication Program in RAM 118 or CPIM07 oj.'the.dient 
computer It is not stored in decrypted or decoded form 
on any mass storage device in a human readable, forrh. 
The Execution Format of the Application Program is es- 
sentially a decrypted version of the transmission version 
that is generated by the Application Builder/112 on.th'e 
client computer 102 after the Application Builder, has 
verified the validity of the license for the particular user 
and has decoded the Application Program so. that it. is 
in the proper formal for execution by the client computer 
102. . * " t ; : 

Referring to Fig. 7, after one or more trial Applica- 
tion Programs have been downloaded to and stored on 
client computer 102 a user associated with that client 
computer may decide to execute one of the Application 
Programs. In one embodiment of the invention, the user 
will be presented with a menu 192 on a display screen 
of user interface 103, including a list 193 of available 
application programs. The user may then select an Ap- 
plication Program, for example Application2. The client 



computer will respond to this selection by displaying the 
Expiration Date of the Selected Application 194, and 
may present other information pertaining to execution 
of the selected application. It may for example provide 

5 a description of input/output data types, file formats, re- 
lated programs, and the like to assist the user in using 
the program. This information is found in the documen- 
tation field 188 of the stored application program. Addi- 
tional menus for viewing other information, such as li- 

10 cense terms and relicensing information (from field 1 89) 
may also be provided. These displays may be integrated 
by the Application Builder with similar displays for locally 
stored, fully licensed programs. 

Referring to Fig. G : an embodiment of the method 

*5 300 of the present invention for managing, use of an Ap- 
plication Program by a -user on a distributed computer 
system 100 is shown.. T he Application Program isinitial- 
: ly stored as a Server Format version 180 of the. Appli- 
cation Program on server 104, Execution starts at Step 

20 302 in response to a user's request for ajrial version of 
ah Application Program. At step ( 304.. the server 104 
monitors requests for informal ion. and program access 
from the client computer connected to. the server com- 
puter. Application Builder 112 may act as.an agent for 

2S the server by initiating communication with the ; seryer in 
response to a request by client computet 102 . AJ step 
306 server 104 recognizes a request from a user asso- 
ciated with one of the client computers, 102 to access 
the trial version of an Application program. r , 

30 Upon selecting an application, prog ram (or. the Ap- 

plication Builder) for downioading.-userwill optionally be 
. presented with a reminder that the, requested program 
, is made avajlable.to the. user fpr, trial use only under cqn- 
: : .ditipns .of the. licepse. ; agreement.\The terms, of , the li- 

3S cense agreement are then displayed for theruser/s re- 
view on the .display, screen, and the, user is prompted by 
.the, server (possibly. through tljie. Application Bujlder 112 
, acting.as^n agentjor tbe ; seryei;) Jpaccept^the license 
terms,. In. Pfie embodimentTot the invention, the : accept- 
ance.of .the license is preferebly made. explicitly by, an 
affirmative action, by the use/. befqre t the.selec.ted.appii- 
cation program, will be, .downloaded. For .example, the 
, user may be requested Jo, input a. identifying [name, or 
to retype a verification code such as, the user's. licensee 

45 id for example, presented by the. server for transmission 
to the.server. Alternatively, the acceptance ma^ be. more 
passive, such that unless the user declines to accept 
the license terms, the license is accepted and file down- 
loading commences. 

so At step 308, the server compares predetermined 
program access restrictions for the Application Program 
with client computer access privileges and determines 
whether predetermined access conditions are satisfied 
by the requesting client computer. At step 310, the serv- 
es er determines whether, the client privileges satisfy Ap- 
plication Program access requirements. The access re- 
quirements in the preferred embodiment are (A) owner- 
ship of a valid license for the Application Builder by the 
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user or associated client computer (B) receipt of the us- 
er's Application Builder public encryption key from the 
user's Application Builder, and (C) explicit user accept- 
ance of the licensing terms for the trial version of the 
selected Application Program The information from the 
user will typically identify the user and the type of com- 
puter ptafform beinc used. This information about the 
user can be automatically provided to the owners of the 
requested application program, thereby providing the 
owners with reliable information about the parties who 
have requested trial use of those programs. 

At Step '3i 2. if the access conditions are not satis- 
fied then access to the trial version of the user selected 
Application Program are denied (at least temporarily un- 
til access restrictions are satisfied). However if the ac- 
cess conditions are satisfied (Step 314} then server 10.4 
generates a -Transmission Version of ihe user selected 
Application Program from the Server Format version on 
the server and then transmits the Transmission Format 
version of the requested Application Program to the cli- 
ent computer . The Transmission Format version of the 
Application Program is.preterably generated for a ..par- 
ticular user and contains user identification information 
including a licensee identification code or number ,184 
as described earlier with respect to Fig. 3. Furthermore, 
all or a significant portion of the Application Program 
code is encrypted in the Transmission Format version 
of the^ Application Program. In the preferred embodi- 
ment, the Application Program is encrypted using RSA 
encryption programs with the user's public key being 
used as the. encryption key. As understood, by Jhose 
skiljed intheart, the encrypted Application Program can 
be decoded by corresponding RSA decoding programs 
with the user's private key. 

The transmission formatted .version is received by 
the client computer, and js preferably stoced in memory 
109 in the cjient storage format for. later execution and 
use J . . 

The Application Program now. resides on the client 
computer. While -the user. may. choose to immediately 
execute the program" the user coujd also desire to use 
the program for the.first tjme.or additional times at a fu- 
ture date. It is therefore irnportant to provide a mecha- 
nism for verifying that the client computer is still entitled 
to use the Application Program at the current or ambient 
date, ' ' 

IrVstep 316 the. Application Builder 1 1 2 acting as an 
agent for the server 104 (independent of connection be- 
tween the server 1 04 and the client computer 1 02 at that 
time) verifies prior, to execution of the program that the 
client computer is currently. entitled to execute the Ap- 
plication Program. To perform this "control information" 
verification, the stored, doubly encrypted control infor- 
mation is decrypted using the Application Builder's pri- 
vate key 113 and the server's public key 1 87 (and is op- 
tionally compared with the clear text version of the con- 
trol information). Using the decrypted control informa- 
tion, the Application Builder compares the licensee ID 



184 in the Application Program with the licensee ID or 
IDs associated with the Application Builder and com- 
pares the license termination date 185 in the Application 
Program with the current date. Only when the status of 

5 the user is verified does the Application Builder 1 1 2 de- 
crypt the encrypted Application Program so as to pre- 
pare it for execution. The decrypted Application Pro- 
gram is preferably never stored in non-volatile memory 
of the client computer, and only exists in decrypted form 

io during actual program execution. 

It is recognized that the protection afforded by com- 
paring a license expiration date encoded in the Applica- 
tion Program with the ambient computer date may in 
some instances be circumvented by altering the client 

75 computer ambient date; however, such alteration typi- 
cally introduces sufficient other problems into system 
operation and file management in the user's computer 
that users are not inclined to use such measures. Se- 
curity measures may further include other date checking 

20 procedures, such as checking file creation dales for oth- 
er files on the client's computer to determine if the actual 
date exceeds the ambient date set for the client compu- 
ter, and the (ike. 

. In reference to Fig. 9, a more. detailed description 

2S of a preferred embodiment of the method of the present 
invention is now provided The user instaljs an Applica- 
tion Builder 112 on the client computer 102 computer 
(Step. 402). The Application Builder 112 is a program 
module provided by a software vendor (such as Sun Mi- 

30 crosystems, Inc.) or in conjunction with the Application 
Programs made available by the provider on the server 
over, the distributed computer system. The Application 
Builder acts as a local agent for the Application Program 
provider by performing various security check functions 

35 and program decryption functions. Application Builder 
1 1 2 builds an encryption key (Step 404) after installation 
on client computer In the preferred embodiment an RSA 
private/public key .pair is generated; however, other 
.types of encryption keys may be implemented. 

?o . The user identifies an Application Program that he 
or she is interested in trying out under the try-and-buy 
usage scheme (Step 406). such as for example by using 
a Web browser or the like. An exemplary Web page that 
would be accessed using such a. Web browser is illus- 

45 trated in Fig. 2 and was described above. The user lo- 
cates a program that he wants to try out such as by 
mouse clicking on the Application Program name in the 
palette of submenu 169. The user may also request gen- 
eral information prior to selecting an Application Pro- 

50 gram, or Application Builder for downloading pertaining 
to the try & buy program by selecting menu item 165, 
on the Application Programs available by selecting one 
of menu items 168, on the applicable licensing terms 
and conditions by selecting menu item 166, or general 

55 information on the Application Builder by selecting menu 
item 167. 

Identification of an Application Program for trial use 
initiates a procedure to request a trial license from the 
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try-and-buy server 104 of the distributed computer sys- 
tem (Step 40?) In the preferred embodiment, the Appli- 
cation Builder 1 1 2 acts as the user's agent in requesting 
the trial license fcr the selected try-and-buy Application 
Program and as the server's agent in providing the trial 5 
application and license This activates the Trial License 
Application Program Module (TLAPM) 1 34 in the server 
(Step 410) which confirms that the client computer has 
either a valid licensed copy or valid trial copy of the Ap- 
plication Builder (Step 412). w 

If the client computer 1 02 associated with user does 
not have a validly licensed or trial copy of the Application 
Builder, the client is prompted to review the licensing 
terms and to agree to the terms presented before a trial 
copy of the Application Builder is generated and provid- is 
ed to the use' {Step 414) Acceptance ol the license 
terms by the user may be implicit in making "the request 
for trial license: cr in a preferred embodiment the user 
' will be prompted io explicitly agree r lb the license terms 
before the Application Program (and/or Application 20 
Builder) is liansrnitted to the client computer, for exam- 
ple by making an affirmative response to ah acceptance 
inquiry after the license terms have been presented; and 
before the tnal : and-buy program is sent to the user's 
computer. ' ' ,; 25 

Once the TLAPM 134 in the server has confirmed 
that the client computerhas a valid licensed copy or val- 
id trial copy of the Application Builder it' requests arid 
receives the user's Application Builder Pubiic'Key (Step 
416). 1 ! ' . ' '"" 30 

the TLAPM '134 then 'generates a f rahsm'ission 
Format version 186 of theselected t'ry-and-buyApplica- 
tion Program (Step 418). The Transmission Format ver- 
sion 186 is a version of the Application Prbgrarft gener- 
ated from the Server Format version 1 : 80 of thesarhe 35 
Application Program that is suitable for transmission to 
the user's computer over nonsecure transmission links 
of the Network interconnectivity apparatbs 106. The 
Transmission 'Fbrmat version 1 86" (a j' rs encrypted with 
the client computer's Application Builder Public Key, and '40 
(b) optionally includes a Header' that' specifies trial li- 
cense expiration conditions, such as a trial license ex- 
piration date. The : trial license expiration date may im- 
pose a hard use date limit, or may impose soft use lim- 
itations. : Hard and soft" use limitations are described in ~4S 
greater detail hereinafter. - ? - 

The client computer receives the' encrypted Trans- 
mission Format version of the trial Application Program 
and stores it locally on the computer associated with the 
user (Step 420). The encrypted Transmission Format so 
version is stored in encrypted form on the client compu- 
ter and is decrypted to generate a decoded version only 
when the application is being loaded for execution by 
the' client computer. 

The trial Application Program 117 can only be re- 55 
ceived from the server and stored on the client computer 
in conjunction with execution of the Application Builder 
112 on the client computer. Once the Application Pro- 



gram is stored locally, the client computer can, at a us- 
er's request, initiate execution of the trial Application 
Program (Step 426"i. The Application Builder then veri- 
fies thai the particular client computer has a valid license 
for that particular program and that the license to the 
trial Application Program has not expired. 

In one embodiment of the invention, this verification 
includes reading the Application Program file by the Ap- 
plication Builder (Step 428), and then comparing the Li- 
censee I D 1 84 in the file with a client I D (or a ]ist of Client 
IDs) associated with the Application Builder that is li- 
censed to the client computer (Step 430). It also in- 
cludes comparing the License Termination Date 185 
with the current date (i.e. , the computer's ambient date) 
and verifying that the termination date*1S5 is later than 
the ambient date stored on the client computer (Step 
432). The explicit examination of client ID may not al- 
ways be necessary' since the presence of a validly li : 
censed Application Builder 112 may be sufficient/ secu- 
rity to prevent unauthorized use. The Client ID may be 
provided by the Application Builder 112 licensed to the 
client computer. Typically, possession of a valid Appli- 
cation' Builder license may establish sufficient trust be- 
tween the Application Program provider and the users 
associated with the client computer. " * 

When the Application Builder has completed verifi- 
cation oHhe 'license, it decrypts the trial Application Pro- 
gram (Step 434) using the Application Builder's Private 
Key so that the program may be loaded for execution in 
the client computer CPU. As explained above, the 
stored; dbubiy 'ehcrypted control information is decrypt- 
ed using the Appl i daft jpn Builders private key 11 3* and 
the server's publicrkey 1 87 and then the decrypted con- 
trol information is used to verify that user's rights 'to ex- 
ecute 'the' trial application program. ''' 
'* 1 If may be seen that in* the preferred embodiment, 
the trial Application^ Program* 117 must be launched 
while running the Application Builder 112, because the 
'Application Builder is needed for verification of the li- 
cense (Ciient'lD matches Licensee ID and Termination 
date has not passed) and to decrypt the trial version of 
the application into executable code: All controi ihfornria- 
tibn is verified by the Application Builder against the en- 
crypted copy of the cohtrol information, and verification 
fails if there is a mismatch. Further, the trial version of 
the application program may include further validation 
steps, such as checking the validity of the Application 
Builder's release number in accordance with predefined 
confidential validity criteria. * 

In this manner, the time during which the Application 
Program exists in a human readable form is limited in 
time (during execution of the Application Program) and 
in storage location (in processor memory). Limiting the 
time and physical locatfon of unencrypted program code 
minimizes the opportunity for unauthorized copying of 
unencrypted code. Even if the encrypted program were 
to be copied, it cannot be used without a licensed Ap- 
plication Builder for that client computer, because the 
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matching Application Builder's private key. which is 
unique for each client computer on which it is installed 
is required lor decryption. * 

Restrictions and procedures similar to those de- 
scribed below tor the Application Program may be ap- 
plied to requesting and receiving a trial version of the 
Application Builder 112 so that trial versions of the ap- 
plications may be obtained and executed. In the pre- 
ferred embodiment trial versions of the Application 
Builder 1 1 2 contain a time bomb that prevents operation 
of the program after a threshold date has passed. 

If the Application Builder in Steps 428-432 deter- 
mines that the Trial License to the Application Program 
has expired, the action taken by the Application Builder 
depends on which of two alternative expiration date pro- 
cedures are implemented: a hard expiration date proce- 
dure or a soft expiration date procedure. 

When a hard expiration date procedure is imple- 
mented, the Application Builder causes a message to 
be presented to the user on the client computer that the 
trial version of the Application Program has expired and 
that the Application Program previously made available 
for use to the user must now be licensed with a new 
license. Under certain conditions, the user may be given 
an opportunity to obtain another trial license: however 
it is anticipated that it the user is offered more than one 
trial license on the same Application Program, the 
number of such trial licensees offered may be limited to 
minimize possible trial use abuse. For example it is ex- 
pected that where more than one trial license is offered 
for a single application, the total number of opportunities 
will be in the range of one to ten (1-10) and preferably 
in the range of one to three (1-3) trials. 

If a soft expiration date procedure is implemented, 
the user is warned that the trial version ol the program 
has expired, and that while the user can continue to use 
the trial version for a short period of time, by a future 
termination date "year/month/day" it will be necessary 
for the user to obtain a licensed copy of the Application 
Program., or a new trial version, in order for the user to 
be able to continue using the Application Program. 

The soft expiration date version has the advantage 
that the provider is not put in the position of suddenly 
preventing use of its Application Program by the user, 
so that for example, the user may complete a task with 
ample warning. The future termination date given in the 
soft expiration date warning may either be a number ol 
days in the future from the expiration date (e.g. 7 day 
grace period) or may be computed as a number of days 
forward from the ambient date on which the warning is 
given to the user. The later procedure has the advantage 
that the program will not expire without some warning to 
the user. Other soft termination date computation 
schemes may also be implemented. Particular termina- 
tion procedures may be provided to different classes of 
users or even to particular users on the basis of the client 
ID associated with the Application Builder 



Claims 

1 . A method for managing usage of an application pro- 
gram by a user on a distributed computer system, 
5 said application program being initially stored as a 

stored version of said application program on a 
server coupled to said distributed computer system, 
said method comprising the steps of: 

to recognizing a user request to access said ap- 

plication program: 

determining whether predetermined access 
conditions are satisfied: 

transmitting a transmission version of said ap- 
'5 plication program to a computer associated 

with said user for receipt and storage only when 
said access conditions have been satisfied: 
verifying prior to execution of said program that 
said user is currently entitled to execute said 
20 received application program, and 

generating an executable version of said appli- 
cation program from said transmission version 
only if said verification is affirmative. 

25 2. The method in Claim 1 , wherein said predetermined 
conditions comprise ownership of a valid license to 
an application builder module which performs said 
verifying and generating steps. 

30 3. The method in Claims 1 or 2, wherein said deter- 
mining step includes: 

providing said user with ah opportunity to sat- 
isfy and accept said predetermined but as yet 
35 unsatisfied access conditions; and 

" recognizing explicit acceptance of said access 
^ conditions by said 'user. 

4. The method in Claim 3, including providing an op- 
^o ' portunity to accept a trial license for said application 

program. 

5. The method in Claim 2, wherein said transmission 
version of said application program comprises a file 
that is at least partial ly" encrypted. 

6. The method in Claim 5, wherein said step of gener- 
ating an executable version of said application pro- 
gram from said transmission version comprises de- 

50 crypting said encrypted portion. 

7. The method in Claim 6, wherein 

said transmission version of said application 
program is encrypted with a public key associated 
ss with said user, said decryption is performed with a 

corresponding private key, and said user associat- 
ed public key and' corresponding private key are 
generated by said application builder module. 
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A program usage management system for manag- 
ing usage of an application program by a user as- 
sociated with a client computer on a distributed 
computer network, said system comprising: 



cation program with a corresponding private key, 
and said user associated public key and corre- 
sponding private key are generated by said appli- 
cation builder module. 



a server coupled to said distributed computer 
system and having memory, storage for stGring 
said application program: 
a controller coupled to said client computer for 
recognizing a user request to access said ap- io 
plication program and for determining whether 
predetermined program access conditions as- 
sociated with said application program are sat- 
isfied by said client computer; 
a program file formatter jor generating a trans- 7 5 
mission version of said program tile that incor- 
porates identification information associated 
with said client and a version of said application 
program that is at least partially encrypted, said 
program lile tormaller responsive .io said con- 20 
troller to generate said transmission version on- 
ly when said access conditions are satisfied; 
a transmitter for transmitting said transmission 
version of said application program to. said cli- 
ent computer associated with said user for re- 
ceipt and storage only when said access con- 
ditions have been satisfied; ' . 
a license verifier for verifying prior toexecution 
of said application program by said client com- 
puter that the user associated with said client 
computer is currently entitled to execute said 
application program: and 
a program decoder coupled to said client com- 
puter for generating a. decoded, machine exe- 
cutable version of. said application program 
from said transmission version of said applica- 
tion program only if said license verifier verifies 
that the user associated with said client com- 
puter is currently entitled to execute said appli- 
cation program. . .. 40 



25 



30 



35 



9. The system in Claim 8, wherein said controller in- 
cludes an application builder program module in- 
stalled and executing on said client. computer, said 
application builder program module includes said li- 45 
cense verifier and said program decoder 

1 0. The system in Claim 9, wherein said predetermined 
program access conditions associated with said ap- 
plication program include receipt'of an encryption so 
key from a valid copy of said application builder pro- 
gram on said client computer. 



11. The system in Claim 9, wherein 

said transmission version of said application 
program is at least partially encrypted with a public 
key associated with said user, said program decod- 
er decodes said transmission version of said appli- 
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